Cybersecurity regulation: 5 issues for companies

Commentary: Federal oversight of cybersecurity practices is coming

Brian Zimmet

Jason Wool

Terrence Horan/MarketWatch

WASHINGTON (MarketWatch) — Hardly a day seems to go by without news of a cyber-attack or dire warnings about the vulnerability of our nation’s critical computer networks.

Most people believe that the government must do more to regulate cybersecurity practices, particularly in industries that own or operate “critical infrastructure,” that is, infrastructure that could cause significant disruptions or damage to our daily lives if subjected to a cyber attack.

The owners and operators of such infrastructure — for example, oil and gas pipelines, chemical refineries, transportation systems, financial institutions, hospitals, nuclear reactors, dams and agricultural infrastructure — will likely see more government oversight of their cybersecurity practices in the coming years.

What will such regulation look like? How will a company’s cybersecurity practices and the ways in which it documents and implements them be affected by the increasing government oversight headed our way?

The electric industry can provide some answers to these questions. It has been living the reality of mandatory cybersecurity regulation since 2005, when Congress granted reliability authority to the Federal Energy Regulatory Commission (FERC), and it has learned a few lessons in that time. Cybersecurity compliance has proven to be challenging, and even in the absence of hacking incidents it is not without its perils. In the last three years alone, the FERC has issued nearly $11 million in civil penalties against industry members for violations.

For critical infrastructure owners and operators outside of the electric industry, new regulation seems to be on the horizon. The White House is preparing a new cybersecurity executive order that sources anticipate will be issued in the coming weeks.

Although compliance with new standards would likely be voluntary, the White House is expected to incorporate incentives for companies to comply with those requirements.

More importantly, the new standards could serve as the basis for tort liability for companies that do not adequately protect their IT systems. Longer-term, it is possible that Congress will enact new legislation to give the federal government — probably the Department of Homeland Security — new authority to regulate the cybersecurity practices of critical infrastructure owners and operators.

Legal jargon aside, what should a critical infrastructure owner or operator expect to see in these new cybersecurity regulations? Here are some key issues that could present themselves under the new standards:

Identification and protection of critical devices

The electric sector cybersecurity standards require industry members to identify cyber devices that are essential to the operation of certain physical assets deemed critical to the operation of the electric grid: control centers, power plants, transmission equipment, among others. Responsible entities must then protect these essential devices using a series of overlapping measures as part of a “defense in depth” strategy.

Protection of such essential cyber devices ranges from technical controls, such as firewalls and intrusion prevention systems, to physical controls that limit who has physical access to these devices. The same model is likely to form the core of any set of cybersecurity standards used in other sectors.

Patch management

Electric utilities rely on a host of software programs to support their operations, and security patches for these programs are released on a daily basis in response to newly discovered vulnerabilities. Prompt installation of these fixes is critical, as an application that goes unpatched can quickly lead to hacking, malware infection, or the exfiltration of sensitive data or files. The electric industry cybersecurity standards require responsible entities to assess all potentially applicable security patches within 30 days of the release date and, in most cases, to install the patch if it is found to apply. This can be a demanding task, particularly since developers’ practices vary as to how they announce new patches. Patch management could be a feature of future cybersecurity performance requirements.
